mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
1ddd5faa5c
Currently authentication methods return information in two forms: they return who was authenticated as a `*user_model.User`, and then they insert key-values into `ctx.Data` which has critical impact on how the authenticated request is treated. This PR changes the authentication methods to return structured data in the form of an `AuthenticationResult`, with all the key-value information in `ctx.Data` being moved into methods on the `AuthenticationResult` interface. Authentication workflows in Forgejo are a real mess. This is the first step in trying to clean it up and make the code predictable and reasonable, and is both follow-up work that was identified from the repo-specific access tokens (where the `"ApiTokenReducer"` key-value was added), and is pre-requisite work to future JWT enhancements that are [being discussed](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-13268004). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - All changes, at least in theory, are refactors of existing logic and are not expected to have functional deviations -- existing regression tests are the only planned testing. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12202 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
200 lines
6.4 KiB
Go
200 lines
6.4 KiB
Go
// Copyright 2024 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package shared
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/routers/common"
|
|
"forgejo.org/services/auth"
|
|
auth_method "forgejo.org/services/auth/method"
|
|
"forgejo.org/services/authz"
|
|
"forgejo.org/services/context"
|
|
|
|
"github.com/go-chi/cors"
|
|
)
|
|
|
|
func Middlewares() (stack []any) {
|
|
stack = append(stack, securityHeaders())
|
|
|
|
if setting.CORSConfig.Enabled {
|
|
stack = append(stack, cors.Handler(cors.Options{
|
|
AllowedOrigins: setting.CORSConfig.AllowDomain,
|
|
AllowedMethods: setting.CORSConfig.Methods,
|
|
AllowCredentials: setting.CORSConfig.AllowCredentials,
|
|
AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP", "X-Forgejo-OTP"}, setting.CORSConfig.Headers...),
|
|
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
|
|
}))
|
|
}
|
|
return append(stack,
|
|
context.APIContexter(),
|
|
|
|
checkDeprecatedAuthMethods,
|
|
// Get user from session if logged in.
|
|
apiAuthentication(buildAuthGroup()),
|
|
apiAuthorization,
|
|
verifyAuthWithOptions(&common.VerifyOptions{
|
|
SignInRequired: setting.Service.RequireSignInView,
|
|
}),
|
|
)
|
|
}
|
|
|
|
func buildAuthGroup() *auth_method.Group {
|
|
group := auth_method.NewGroup(
|
|
&auth_method.OAuth2{},
|
|
&auth_method.HTTPSign{},
|
|
&auth_method.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
|
|
)
|
|
if setting.Service.EnableReverseProxyAuthAPI {
|
|
group.Add(&auth_method.ReverseProxy{})
|
|
}
|
|
|
|
return group
|
|
}
|
|
|
|
func apiAuthentication(authMethod auth.Method) func(*context.APIContext) {
|
|
return func(ctx *context.APIContext) {
|
|
ar, err := common.AuthShared(ctx.Base, nil, authMethod)
|
|
if err != nil {
|
|
ctx.Error(http.StatusUnauthorized, "APIAuth", err)
|
|
return
|
|
}
|
|
if ar == nil {
|
|
ctx.Error(http.StatusInternalServerError, "apiAuthentication nil authentication result", errors.New("nil authentication result"))
|
|
return
|
|
}
|
|
ctx.Doer = ar.User()
|
|
ctx.IsSigned = ctx.Doer != nil
|
|
ctx.Authentication = ar
|
|
}
|
|
}
|
|
|
|
func apiAuthorization(ctx *context.APIContext) {
|
|
if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
|
|
publicOnly, err := scope.PublicOnly()
|
|
if err != nil {
|
|
ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
|
|
return
|
|
}
|
|
ctx.PublicOnly = publicOnly
|
|
}
|
|
|
|
reducer := ctx.Authentication.Reducer()
|
|
if reducer != nil {
|
|
ctx.Reducer = reducer
|
|
} else {
|
|
// No Reducer will be populated if the auth method wasn't an PAT. In this case, we populate `ctx.Reducer` so no
|
|
// nil checks are needed, and we respect the scope `PublicOnly()` so that it it's safe to just rely on
|
|
// `ctx.Reducer` to account for public-only access:
|
|
if ctx.PublicOnly {
|
|
ctx.Reducer = &authz.PublicReposAuthorizationReducer{}
|
|
} else {
|
|
ctx.Reducer = &authz.AllAccessAuthorizationReducer{}
|
|
}
|
|
}
|
|
}
|
|
|
|
// verifyAuthWithOptions checks authentication according to options
|
|
func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIContext) {
|
|
return func(ctx *context.APIContext) {
|
|
// Check prohibit login users.
|
|
if ctx.IsSigned {
|
|
if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
|
|
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "This account is not activated.",
|
|
})
|
|
return
|
|
}
|
|
if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
|
|
log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "This account is prohibited from signing in, please contact your site administrator.",
|
|
})
|
|
return
|
|
}
|
|
|
|
if ctx.Doer.MustChangePassword {
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",
|
|
})
|
|
return
|
|
}
|
|
|
|
if ctx.Doer.MustHaveTwoFactor() {
|
|
hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
log.Error("Error getting 2fa: %s", err)
|
|
ctx.JSON(http.StatusInternalServerError, map[string]string{
|
|
"message": fmt.Sprintf("Error getting 2fa: %s", err),
|
|
})
|
|
return
|
|
}
|
|
if !hasTwoFactor {
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": ctx.Locale.TrString("error.must_enable_2fa", fmt.Sprintf("%suser/settings/security", setting.AppURL)),
|
|
})
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// Redirect to dashboard if user tries to visit any non-login page.
|
|
if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
|
|
ctx.Redirect(setting.AppSubURL + "/")
|
|
return
|
|
}
|
|
|
|
if options.SignInRequired {
|
|
if !ctx.IsSigned {
|
|
// Restrict API calls with error message.
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "Only signed in user is allowed to call APIs.",
|
|
})
|
|
return
|
|
} else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
|
|
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "This account is not activated.",
|
|
})
|
|
return
|
|
}
|
|
}
|
|
|
|
if options.AdminRequired {
|
|
if !ctx.IsUserSiteAdmin() {
|
|
ctx.JSON(http.StatusForbidden, map[string]string{
|
|
"message": "You have no permission to request for this.",
|
|
})
|
|
return
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// check for and warn against deprecated authentication options
|
|
func checkDeprecatedAuthMethods(ctx *context.APIContext) {
|
|
if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
|
|
ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in Forgejo v13.0.0. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
|
|
}
|
|
}
|
|
|
|
func securityHeaders() func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
|
// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
|
|
// http://stackoverflow.com/a/3146618/244009
|
|
resp.Header().Set("x-content-type-options", "nosniff")
|
|
next.ServeHTTP(resp, req)
|
|
})
|
|
}
|
|
}
|